Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place to get systems and services back online as quickly and securely as possible.

The first part of this section looks at the invaluable Incident Handling Step-by-Step model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes, and has been proven effective in hundreds of organizations. This section is designed to provide students with a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

SEC504.2: Computer and Network Hacker Exploits - Part 1

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This day-long course covers the details associated with reconnaissance and scanning, the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage, attackers also conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and firewalls, unsecured modems, and, increasingly, wireless LANs. Attackers are increasingly employing inverse scanning, blind scans, and bounce scans to obscure their source and intentions. They are also targeting firewalls, attempting to understand and manipulate rule sets to penetrate our networks. Another very hot area in computer attacks involves Intrusion Detection System evasion, techniques that allow an attacker to avoid detection by these computer burglar alarms.

If you do not have the skills needed to understand these critical phases of an attack in detail, you will not be able to protect your network. Students who take this course and master the material will understand these attacks and the associated defenses.

SEC504.3: Computer and Network Hacker Exploits - Part 2

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This day-long course covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you will get hands-on experience in running sniffers and the incredibly flexible Netcat tool.

Administrators need to get into the nitty-gritty of how the attacks and their associated defenses work if they want to effectively defend against these invasions. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a DVD containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's systems. You also need to advise your network and computer operations teams of your testing schedule.

SEC504.4: Computer and Network Hacker Exploits - Part 3

This course starts out by covering one of the attackers' favorite techniques for compromising systems: worms. We will analyze worm developments over the last two years and project these trends into the future to get a feel for the coming Super Worms we will face. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations' homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of nasty denial-of-service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms. To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers' maintaining access and covering their tracks.

SEC504.5: Computer and Network Hacker Exploits - Part 4

This day-long course covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens, as well as explore future trends in malware, including BIOS-level and combo malware possibilities.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, super-stealthy sniffing backdoors are increasingly being used to thwart investigations. Finally, attackers often alter system logs, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

SEC504.6: Hacker Tools Workshop

Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. This workshop will supplement the classroom training that students have already received and give them flight time with the attack tools to better understand how they work. Instructors will give guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult, so students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture the Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you have built over the week in this engaging contest. The Capture the Flag victors will win a prize.

In sum, paranoia is good! Your laptop will be attacked. Do not have any sensitive data stored on the system. SANS is not responsible for your system if (actually, when) someone in the class attacks it in the workshop. Bring the right equipment and prepare it in advance to maximize what you will learn and the fun you will have doing it.